Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'fs_for_v6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs

Pull udf, ext2, isofs fixes and cleanups from Jan Kara:

- A few UDF cleanups and fixes for handling corrupted filesystems

- ext2 fix for handling of corrupted filesystem

- isofs module description

- jbd2 module description

* tag 'fs_for_v6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
ext2: Verify bitmap and itable block numbers before using them
udf: prevent integer overflow in udf_bitmap_free_blocks()
udf: Avoid excessive partition lengths
udf: Drop load_block_bitmap() wrapper
udf: Avoid using corrupted block bitmap buffer
udf: Fix bogus checksum computation in udf_rename()
udf: Fix lock ordering in udf_evict_inode()
udf: Drop pointless IS_IMMUTABLE and IS_APPEND check
isofs: add missing MODULE_DESCRIPTION()
jbd2: add missing MODULE_DESCRIPTION()

+63 -59
+9 -2
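--- a/fs/ext2/balloc.c
+++ b/fs/ext2/balloc.c
@@ -77,26 +77,33 @@
 ext2_grpblk_t next_zero_bit;
 ext2_fsblk_t bitmap_blk;
 ext2_fsblk_t group_first_block;
+ext2_grpblk_t max_bit;
 
 group_first_block = ext2_group_first_block_no(sb, block_group);
+max_bit = ext2_group_last_block_no(sb, block_group) - group_first_block;
 
 /* check whether block bitmap block number is set */
 bitmap_blk = le32_to_cpu(desc->bg_block_bitmap);
 offset = bitmap_blk - group_first_block;
-if (!ext2_test_bit(offset, bh->b_data))
+if (offset < 0 || offset > max_bit ||
+!ext2_test_bit(offset, bh->b_data))
 /* bad block bitmap */
 goto err_out;
 
 /* check whether the inode bitmap block number is set */
 bitmap_blk = le32_to_cpu(desc->bg_inode_bitmap);
 offset = bitmap_blk - group_first_block;
-if (!ext2_test_bit(offset, bh->b_data))
+if (offset < 0 || offset > max_bit ||
+!ext2_test_bit(offset, bh->b_data))
 /* bad block bitmap */
 goto err_out;
 
 /* check whether the inode table block number is set */
 bitmap_blk = le32_to_cpu(desc->bg_inode_table);
 offset = bitmap_blk - group_first_block;
+if (offset < 0 || offset > max_bit ||
+offset + EXT2_SB(sb)->s_itb_per_group - 1 > max_bit)
+goto err_out;
 next_zero_bit = ext2_find_next_zero_bit(bh->b_data,
 offset + EXT2_SB(sb)->s_itb_per_group,
 offset);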
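Review bot: The added inode-table range check in front of `ext2_find_next_zero_bit()` carries no comment, and the check just above it still has the copied label `/* bad block bitmap */` although it tests the inode bitmap block. A line such as `/* the whole inode table must lie inside the group before its bits are scanned */` above the new `if` would record why both `offset` and `offset + s_itb_per_group - 1` are compared with `max_bit`; presumably the scan would otherwise index past the bitmap buffer on a corrupted descriptor. The enclosing function starts and ends outside this hunk.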
+1
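--- a/fs/isofs/inode.c
+++ b/fs/isofs/inode.c
@@ -1617,4 +1617,5 @@
 
 module_init(init_iso9660_fs)
 module_exit(exit_iso9660_fs)
+MODULE_DESCRIPTION("ISO 9660 CDROM file system support");
 MODULE_LICENSE("GPL");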
+1
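--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -3181,6 +3181,7 @@
 jbd2_journal_destroy_caches();
 }
 
+MODULE_DESCRIPTION("Generic filesystem journal-writing module");
 MODULE_LICENSE("GPL");
 module_init(journal_init);
 module_exit(journal_exit);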
+29 -45
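--- a/fs/udf/balloc.c
+++ b/fs/udf/balloc.c
@@ -18,6 +18,7 @@
 #include "udfdecl.h"
 
 #include <linux/bitops.h>
+#include <linux/overflow.h>
 
 #include "udf_i.h"
 #include "udf_sb.h"
@@ -64,14 +65,18 @@
 }
 
 for (i = 0; i < count; i++)
-if (udf_test_bit(i + off, bh->b_data))
+if (udf_test_bit(i + off, bh->b_data)) {
+bitmap->s_block_bitmap[bitmap_nr] =
+ERR_PTR(-EFSCORRUPTED);
+brelse(bh);
 return -EFSCORRUPTED;
+}
 return 0;
 }
 
-static int __load_block_bitmap(struct super_block *sb,
-struct udf_bitmap *bitmap,
-unsigned int block_group)
+static int load_block_bitmap(struct super_block *sb,
+struct udf_bitmap *bitmap,
+unsigned int block_group)
 {
 int retval = 0;
 int nr_groups = bitmap->s_nr_groups;
@@ -81,31 +86,21 @@
 block_group, nr_groups);
 }
 
-if (bitmap->s_block_bitmap[block_group])
+if (bitmap->s_block_bitmap[block_group]) {
+/*
+* The bitmap failed verification in the past. No point in
+* trying again.
+*/
+if (IS_ERR(bitmap->s_block_bitmap[block_group]))
+return PTR_ERR(bitmap->s_block_bitmap[block_group]);
 return block_group;
+}
 
 retval = read_block_bitmap(sb, bitmap, block_group, block_group);
 if (retval < 0)
 return retval;
 
 return block_group;
-}
-
-static inline int load_block_bitmap(struct super_block *sb,
-struct udf_bitmap *bitmap,
-unsigned int block_group)
-{
-int slot;
-
-slot = __load_block_bitmap(sb, bitmap, block_group);
-
-if (slot < 0)
-return slot;
-
-if (!bitmap->s_block_bitmap[slot])
-return -EIO;
-
-return slot;
 }
 
 static void udf_add_free_space(struct super_block *sb, u16 partition, u32 cnt)
@@ -129,7 +124,6 @@
 {
 struct udf_sb_info *sbi = UDF_SB(sb);
 struct buffer_head *bh = NULL;
-struct udf_part_map *partmap;
 unsigned long block;
 unsigned long block_group;
 unsigned long bit;
@@ -138,19 +132,9 @@
 unsigned long overflow;
 
 mutex_lock(&sbi->s_alloc_mutex);
-partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
-if (bloc->logicalBlockNum + count < count ||
-(bloc->logicalBlockNum + count) > partmap->s_partition_len) {
-udf_debug("%u < %d || %u + %u > %u\n",
-bloc->logicalBlockNum, 0,
-bloc->logicalBlockNum, count,
-partmap->s_partition_len);
-goto error_return;
-}
-
+/* We make sure this cannot overflow when mounting the filesystem */
 block = bloc->logicalBlockNum + offset +
 (sizeof(struct spaceBitmapDesc) << 3);
-
 do {
 overflow = 0;
 block_group = block >> (sb->s_blocksize_bits + 3);
@@ -380,7 +364,6 @@
 uint32_t count)
 {
 struct udf_sb_info *sbi = UDF_SB(sb);
-struct udf_part_map *partmap;
 uint32_t start, end;
 uint32_t elen;
 struct kernel_lb_addr eloc;
@@ -389,16 +372,6 @@
 struct udf_inode_info *iinfo;
 
 mutex_lock(&sbi->s_alloc_mutex);
-partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
-if (bloc->logicalBlockNum + count < count ||
-(bloc->logicalBlockNum + count) > partmap->s_partition_len) {
-udf_debug("%u < %d || %u + %u > %u\n",
-bloc->logicalBlockNum, 0,
-bloc->logicalBlockNum, count,
-partmap->s_partition_len);
-goto error_return;
-}
-
 iinfo = UDF_I(table);
 udf_add_free_space(sb, sbi->s_partition, count);
 
@@ -673,6 +646,17 @@
 {
 uint16_t partition = bloc->partitionReferenceNum;
 struct udf_part_map *map = &UDF_SB(sb)->s_partmaps[partition];
+uint32_t blk;
+
+if (check_add_overflow(bloc->logicalBlockNum, offset, &blk) ||
+check_add_overflow(blk, count, &blk) ||
+bloc->logicalBlockNum + count > map->s_partition_len) {
+udf_debug("Invalid request to free blocks: (%d, %u), off %u, "
+"len %u, partition len %u\n",
+partition, bloc->logicalBlockNum, offset, count,
+map->s_partition_len);
+return;
+}
 
 if (map->s_partition_flags & UDF_PART_FLAG_UNALLOC_BITMAP) {
 udf_bitmap_free_blocks(sb, map->s_uspace.s_bitmap,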
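Review bot: In the last hunk, the added length test `bloc->logicalBlockNum + count > map->s_partition_len` leaves `offset` out, although `blk` already holds `logicalBlockNum + offset + count` after the two `check_add_overflow()` calls and is otherwise unused. The bitmap path earlier in this file computes `block = bloc->logicalBlockNum + offset + ...` and now relies on the mount-time check alone, so as far as these hunks show a request with a large `offset` passes the test while addressing bits beyond the partition length. Comparing the accumulated value, `blk > map->s_partition_len) {`, would bound the range that is actually freed; whether callers already constrain `offset` is not visible here. The function's signature is outside the hunk.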
+2
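--- a/fs/udf/file.c
+++ b/fs/udf/file.c
@@ -232,7 +232,9 @@
 
 if ((attr->ia_valid & ATTR_SIZE) &&
 attr->ia_size != i_size_read(inode)) {
+filemap_invalidate_lock(inode->i_mapping);
 error = udf_setsize(inode, attr->ia_size);
+filemap_invalidate_unlock(inode->i_mapping);
 if (error)
 return error;
 }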
+4 -9
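--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1247,10 +1247,7 @@
 if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) ||
 S_ISLNK(inode->i_mode)))
 return -EINVAL;
-if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
-return -EPERM;
 
-filemap_invalidate_lock(inode->i_mapping);
 iinfo = UDF_I(inode);
 if (newsize > inode->i_size) {
 if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
@@ -1263,11 +1260,11 @@
 }
 err = udf_expand_file_adinicb(inode);
 if (err)
-goto out_unlock;
+return err;
 }
 err = udf_extend_file(inode, newsize);
 if (err)
-goto out_unlock;
+return err;
 set_size:
 truncate_setsize(inode, newsize);
 } else {
@@ -1285,14 +1282,14 @@
 err = block_truncate_page(inode->i_mapping, newsize,
 udf_get_block);
 if (err)
-goto out_unlock;
+return err;
 truncate_setsize(inode, newsize);
 down_write(&iinfo->i_data_sem);
 udf_clear_extent_cache(inode);
 err = udf_truncate_extents(inode);
 up_write(&iinfo->i_data_sem);
 if (err)
-goto out_unlock;
+return err;
 }
 update_time:
 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
@@ -1300,8 +1297,6 @@
 udf_sync_inode(inode);
 else
 mark_inode_dirty(inode);
-out_unlock:
-filemap_invalidate_unlock(inode->i_mapping);
 return err;
 }
 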
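Review bot: Nothing in this section records the locking contract that replaces the removed `filemap_invalidate_lock()` / `out_unlock` pair, so the function now silently depends on its callers. The size-change path in fs/udf/file.c takes the lock around `udf_setsize()` in this same merge; other callers are not visible here and, going by the "Fix lock ordering in udf_evict_inode()" entry in the commit list, may deliberately not hold it. A short comment above the function stating which callers are expected to hold the mapping's invalidate lock, and that the function must not take it itself, would keep a later change from reintroducing the ordering problem. The function's opening line is outside these hunks.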
-2
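--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -876,8 +876,6 @@
 if (has_diriter) {
 diriter.fi.icb.extLocation =
 cpu_to_lelb(UDF_I(new_dir)->i_location);
-udf_update_tag((char *)&diriter.fi,
-udf_dir_entry_len(&diriter.fi));
 udf_fiiter_write_fi(&diriter, NULL);
 udf_fiiter_release(&diriter);
 }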
+17 -1
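--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -336,7 +336,8 @@
 int nr_groups = bitmap->s_nr_groups;
 
 for (i = 0; i < nr_groups; i++)
-brelse(bitmap->s_block_bitmap[i]);
+if (!IS_ERR_OR_NULL(bitmap->s_block_bitmap[i]))
+brelse(bitmap->s_block_bitmap[i]);
 
 kvfree(bitmap);
 }
@@ -1110,12 +1111,19 @@
 struct udf_part_map *map;
 struct udf_sb_info *sbi = UDF_SB(sb);
 struct partitionHeaderDesc *phd;
+u32 sum;
 int err;
 
 map = &sbi->s_partmaps[p_index];
 
 map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
 map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
+if (check_add_overflow(map->s_partition_root, map->s_partition_len,
+&sum)) {
+udf_err(sb, "Partition %d has invalid location %u + %u\n",
+p_index, map->s_partition_root, map->s_partition_len);
+return -EFSCORRUPTED;
+}
 
 if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
 map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
@@ -1171,6 +1179,14 @@
 bitmap->s_extPosition = le32_to_cpu(
 phd->unallocSpaceBitmap.extPosition);
 map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;
+/* Check whether math over bitmap won't overflow. */
+if (check_add_overflow(map->s_partition_len,
+sizeof(struct spaceBitmapDesc) << 3,
+&sum)) {
+udf_err(sb, "Partition %d is too long (%u)\n", p_index,
+map->s_partition_len);
+return -EFSCORRUPTED;
+}
 udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
 p_index, bitmap->s_extPosition);
 }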
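Review bot: In the last hunk, the added comment `/* Check whether math over bitmap won't overflow. */` does not name the computation it protects. The bitmap free path in fs/udf/balloc.c drops its own per-call check in this merge and relies on this one for `bloc->logicalBlockNum + offset + (sizeof(struct spaceBitmapDesc) << 3)`, so the two sites only stay in step if the dependency is written down. Something like `/* The bitmap code adds the spaceBitmapDesc header bits to block numbers within s_partition_len; reject lengths where that sum wraps in 32 bits. */` would make the link explicit. The enclosing function begins outside the hunk.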